sigmoid.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A social space for people researching, working with, or just interested in AI!

#leak

6 posts, 6 participants, 1 post today

"Repeated data leak offender" - Looking for contacts in Malaysia

This #leak is a really weird story and I am looking for help in #Malaysia.

If I were in the medical business, I would be very careful about what pictures of my customers I store long term. And there would be tons of safeguards before I would allow them to be stored in a bucket (#Microsoft #Azure #Blob in this case). At the very least I would make sure that the Blob IS NOT world readable and world indexable. Should this ever happen to me, I would be so deeply ashamed that this shame would eternally prevent me from making the same mistake again. Doing this over and over again takes the approach to IT security and privacy protection to a new low.

This brings us to BP Healthcare, a Malaysian healthcare giant that runs a multitude of businesses in that country. This includes online health services, laboratories, pharmacies, dental clinics, eye centers and much, much more. According to their own publications, they serve 35 million customers. Furthermore they seem to rely heavily on cloud services.

While other data leaks (at least four we know of) inside the sprawling empire of BP Healthcare since April 2019 were mostly fixed in a timely fashion (but without ever acknowledging the problem or answering at all), we currently see no fewer than three Azure blobs with a gigantic amount of data on which (even though the security researcher inquired multiple times) no action is forthcoming.

The data includes

  • One Blob with 1.5 million prescriptions, receipts and invoices
  • One Blob with 1.7 million invoices for healthcare services
  • One Blob with 1.8 million assorted documents

The last blob is the most critical as it seems tied to a medical service provided via chat. The blob contains (among other things) images customers uploaded to show their medical problems. Naturally this includes their customers being in varying states of undress. Surprisingly, a lot of the telemedicine chats involved named patients seeking diagnosis or treatment for sexually transmitted diseases.

We are looking for a government agency (or contact in the technical press) that would take a long hard look at all the IT operations of BP Healthcare. The fact that we see the same problem occurring again and again worries us deeply. Sometimes it is even the same subsidiary that is having the same problem. Furthermore they are exposing the most intimate information about the customers. There are several warning signs that the trouble may run deeper than just these leaks.

Closing remark: I usually do a PostMortem of the data leak including the URL of the leak that was closed. This will not happen in this case. Even a first glance at the cloud infrastructure paints a worrying picture and we are not confident that they will not reopen (assuming they close it in the first place) the leak at some point in the future. Therefore I will abstain from naming it in the report.

bphealthcare.com (BP Healthcare)

Update 2: PostMortem published here: infosec.exchange/@masek/114800

Update: The leak has been closed since July 2nd. Will write a postmortem on Saturday and add a link.

Do I have someone in my circles who has contacts to Brandt Kettwick Defense in #minneapolis in #minnesota?

They have a (IMHO very serious) data #leak and we have been trying to get in contact with them for quite some time now. Among other things we have sent them very detailed information about the leak via email and their contact form. When called, they hang up (the public number may be a call center that has no idea what we are talking about).

They're either thinking we're trying to phish them or we get stuck in their spam filters. At least we don't hear back from them and the leak is still open. So I am looking for someone whom they'll listen to.

So if anyone has a chance to get hold of them, we would be grateful.

We are also trying to get the PDs in Hopkins and Anoka as well as the Bureau of Criminal Apprehension involved. The data leaked affects them indirectly.

Infosec Exchange: Martin Seeger (@masek@infosec.exchange)

**PostMortem: Data Leak Brandt Kettwick Defense**

### Type of leak

Azure Blob with the multi-year archive of a law defense firm. Files were readable and indexable for anyone. The leak contained data like search warrants, master case files from law enforcement, interviews with victims, the accused and victims of sexual assault cases and much, much more. In total there were several ten thousand documents. URL of the leak was: https://brandtdefense.blob.core.windows.net/

### Threats from the leak

I see the following threats:

- Confidentiality of people seeking legal counsel is compromised
- Privacy of multiple U.S. citizens compromised
- Very likely violation of several laws and ethics guidelines

### Timeline

- April 2025: Leak is discovered by a security researcher.
- June 4th 2025: Significance of the leak identified, multiple attempts by the security researcher to close the leak (email, web contact), no reply during the complete incident.
- June 12th 2025: A second security researcher attempts to contact the law defense firm, no reply till the end. Calls to the designated phone number were hung up by the law firm.
- June 19th 2025: FBI and Hopkins (Minnesota police department) are informed.
- June 21st 2025: I join the effort. Email directed to the owner of the company and one identified affected person. No reply during the complete incident.
- June 25th 2025: Second security researcher reaches out to the Minnesota Bureau of Criminal Apprehension (BCA). They reply nearly immediately that they will investigate.
- June 29th 2025: I make a [public post](https://infosec.exchange/@masek/114767334753058478) and ask for help to get the attention of the law firm. The second researcher reaches out again to the BCA.
- July 2nd 2025: Leak is closed. BCA answers that they were unable to get the attention of the law firm via phone and email, so they sent officers on site to convey the seriousness of the leak. They also say that the law firm had asked their IT department and it denied any possibility of a leak.

### Analysis

This is not a complete failure analysis. These are only my own observations.

Failures:

- The chosen IT department was unable to adhere even to the most basic levels of data security.
- Even when asked by the customer, the IT department denied the possibility of a leak.
- The law firm has no proper process to deal with external IT security alerts.
- Lack of understanding concerning the responsibility on the side of the law firm. Outsourcing only delegates the work but not the legal obligations.

### Impact

It can be safely assumed (due to duration and ease of discovery) that all data on those servers is now in the hands of intelligence services (e.g. Russia, China) and cyber criminals with little care about the privacy of US citizens. Especially for people looking for material to blackmail people, this leak was a gold mine.

### Acknowledgments

Thanks to @JayeLTee and @PogoWasRight for doing most of the work. A description of the incident from the viewpoint of Dissent can be found [here](https://databreaches.net/2025/07/04/no-need-to-hack-when-its-leaking-brandt-kettwick-defense-edition/). Furthermore I wish to praise the work of the Minnesota Bureau of Criminal Apprehension. Also thanks to @TonyYarusso and @bkoehn@hachyderm.io for assisting us in getting the necessary attention.

### Closing Remarks

**It is clearly necessary that we have at least one public contact in each country that investigates and closes data leaks reported to them. The effort to close even the worst leaks is unbearable and currently rests on the shoulders of security researchers and their supporting environment.**

Time spent on this leak from my side (without the time for this report) is 4+ hours. My best estimate on the effort of all people involved closing this leak would be in the hundreds of hours. The amount of time spent by the person responsible for the leaking system on security issues: None.
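Both the BP Healthcare post and the postmortem above describe the same misconfiguration: an Azure Blob container that is world readable and world indexable. The script below is an added example for owners auditing their own storage accounts, not code from either post; it assumes the Azure CLI (`az`) is installed and signed in with read access, and `mystorageacct` / `my-rg` are placeholder names, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original posts). Audits an Azure storage account
# for containers whose anonymous access level makes them world readable
# (publicAccess=blob) or world readable AND listable/indexable
# (publicAccess=container), then shows the account-level switch that turns
# anonymous access off regardless of per-container settings.
# Assumes: "az" CLI installed and logged in; account/resource group names below
# are placeholders.
set -eu

# Map a container's properties.publicAccess value to what it means to the world.
classify_access() {
  case "${1:-}" in
    container)    echo "PUBLIC_LISTABLE: anyone can list and download every blob" ;;
    blob)         echo "PUBLIC_READABLE: anyone who knows a blob URL can download it" ;;
    ""|None|null) echo "PRIVATE: anonymous requests are rejected" ;;
    *)            echo "UNKNOWN: $1" ;;
  esac
}

# Print one line per container in the account with its classification.
audit_account() {
  account="$1"
  tab="$(printf '\t')"
  # --auth-mode login uses the signed-in identity instead of an account key.
  az storage container list --account-name "$account" --auth-mode login \
     --query "[].[name, properties.publicAccess]" -o tsv |
  while IFS="$tab" read -r name access; do
    printf '%s\t%s\n' "$name" "$(classify_access "$access")"
  done
}

# Account-level kill switch: with allowBlobPublicAccess=false every container's
# own publicAccess setting is ignored and anonymous requests are denied.
harden_account() {
  account="$1"
  rg="$2"
  az storage account update --name "$account" --resource-group "$rg" \
     --allow-blob-public-access false --output none
  # Read the setting back to confirm the change took effect.
  az storage account show --name "$account" --resource-group "$rg" \
     --query allowBlobPublicAccess -o tsv
}

# Usage with placeholder names (uncomment to run against a real account):
# audit_account mystorageacct
# harden_account mystorageacct my-rg
```

Run the audit first to see which containers are exposed and why; the account-level switch is the quickest way to close every anonymous path at once before reviewing individual containers.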

#help I have a small leak coming out of a vertical drain pipe in the garage where a corner piece connects to a downward straight piece. The leak is at the joint. Bought radiator pipe wrap as a temporary band-aid. Question: do I wrap top to bottom or bottom to top? Does it matter? #plumbing #water #leak #pipe